Palo Alto Networks PCNSE Online Practice Questions and Exam Preparation

Palo Alto Networks PCNSE Online Questions & Answers

• Question 441:

  A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10.

  What should the engineer do to complete the configuration?

  A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.
  B. Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53.
  C. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.
  D. Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.
  A. Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.

  ---

  Explanation

  forward-If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10.

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

• Question 442:

  Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.)

  A. KVM
  B. VMware ESX
  C. VMware NSX
  D. AWS
  A. KVM
  B. VMware ESX

  ---

  Explanation

• Question 443:

  Based on the image, what caused the commit warning?

  

  A. The CA certificate for FWDtrust has not been imported into the firewall.
  B. The FWDtrust certificate has not been flagged as Trusted Root CA.
  C. SSL Forward Proxy requires a public certificate to be imported into the firewall.
  D. The FWDtrust certificate does not have a certificate chain.
  A. The CA certificate for FWDtrust has not been imported into the firewall.

  ---

  Explanation

• Question 444:

  Which three use cases are valid reasons for requiring an Active/Active high availability deployment? (Choose three )

  A. The environment requires real, full-time redundancy from both firewalls at all times
  B. The environment requires Layer 2 interfaces in the deployment
  C. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence
  D. The environment requires that all configuration must be fully synchronized between both members of the HA pair
  E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes
  A. The environment requires real, full-time redundancy from both firewalls at all times
  C. The environment requires that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence
  E. The environment requires that traffic be load-balanced across both firewalls to handle peak traffic spikes

  ---

  Explanation

  Active/Active high availability is a deployment mode that allows both firewalls in an HA pair to actively process traffic and share the load. Active/Active HA is suitable for environments that require real, full-time redundancy from both firewalls at all times, as there is no failover time or session loss in case of a firewall failure. Active/Active HA is also suitable for environments that require that both firewalls maintain their own routing tables for faster dynamic routing protocol convergence, as each firewall can run its own routing protocols and exchange routes with other routers independently. Active/Active HA is also suitable for environments that require that traffic be load-balanced across both firewalls to handle peak traffic spikes, as each firewall can process a portion of the traffic and increase the overall throughput and performance. Active/Active HA is not suitable for environments that require Layer 2 interfaces in the deployment, as Layer 2 interfaces are not supported in Active/Active HA mode. Active/Active HA is also not suitable for environments that require that all configuration must be fully synchronized between both members of the HA pair, as some configuration settings are not synchronized in Active/Active HA mode, such as virtual router configuration, virtual wire configuration, and QoS configuration.

  References: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case

• Question 445:

  Which log file can be used to identify SSL decryption failures?

  A. Configuration
  B. Threats
  C. ACC
  D. Traffic
  D. Traffic

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClboCAC

• Question 446:

  Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two).

  A. Zone Protection Profiles protect ingress zones
  B. Zone Protection Profiles protect egress zones
  C. DoS Protection Profiles are packet-based, not signature-based
  D. DoS Protection Profiles are linked to Security policy rules
  A. Zone Protection Profiles protect ingress zones
  D. DoS Protection Profiles are linked to Security policy rules

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles

• Question 447:

  Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days?

  A. Session Browser
  B. Application Command Center
  C. TCP Dump
  D. Packet Capture
  B. Application Command Center

  ---

  Explanation

  https://live.paloaltonetworks.com/t5/Management-Articles/Tips-amp-Tricks-How-to-Use-the-Application-Command-Center-ACC/ta-p/67342

  The Application Command Center (ACC) page visually depicts trends and a historic view of traffic on your network. It displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame.

• Question 448:

  Which two methods can be configured to validate the revocation status of a certificate? (Choose two.)

  A. CRL
  B. CRT
  C. OCSP
  D. Cert-Validation-Profile
  E. SSL/TLS Service Profile
  A. CRL
  C. OCSP

  ---

  Explanation

  https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificate-management/certificate-revocation.html#idaa3aa4f6-4791-4dbb-b834-58c22e208be8

• Question 449:

  A company hosts a publically accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information.

  Users outside the company are in the "Untrust-L3" zone The web server physically resides in the "Trust-L3" zone. Web server public IP address: 23.54.6.10 Web server private IP address: 192.168.1.10

  Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two)

  A. Untrust-L3 for both Source and Destination zone
  B. Destination IP of 192.168.1.10
  C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
  D. Destination IP of 23.54.6.10
  C. Untrust-L3 for Source Zone and Trust-L3 for Destination Zone
  D. Destination IP of 23.54.6.10

  ---

  Explanation

• Question 450:

  Use the image below. If the firewall has the displayed link monitoring configuration what will cause a failover?

  

  A. ethernet1/3 and ethernet1/6 going down
  B. ethernet1/3 going down
  C. ethernet1/6 going down
  D. ethernet1/3 or ethernet1/6 going down
  A. ethernet1/3 and ethernet1/6 going down

  ---

  Explanation

  Link Monitoring Failure Condition is All / Link Group also is All. Even with Any / All, Link Group takes precedences... Suppose we have only one entry in the Link group. If the link monitoring has a failure condition of any and Link group has a group failure condition of all, then all is preferred, because whatever's configured in the Link group takes precedence.